Malicious social-engineering attacks are on the rise and branching out far beyond simply targeting the financial sector. While some organizations develop employee-awareness training or solicit pen testing, or use some combination of the two, these preventive tactics can only go so far.
Adopting a “know thy data” approach — in terms of what it is, how valuable it is and where it is — and then focusing on securing it may be the key to surviving the relentless onslaught of attacks.
Remember the ancient Greeks’ “gift” horse to the city of Troy? While a social-engineering attack is by no means new, today this highly effective tool snares its victims through phishing, elicitation and impersonation.
“We freely give out information on the Web in the form of social media, over the phone or just to strangers — often without realizing we’ve just handed an attacker tiny bits of info that can wreak havoc,” said Chris Hadnagy, chief human hacker, president and CEO of Social-Engineer Inc., a firm specializing in social-engineering services and training.
Anyone — even pros — can become a victim of a social-engineering attack. “It’s nearly impossible to detect you’ve been socially engineered,” said Daniel Cohen, head of knowledge delivery and business development for RSA’s FraudAction group, who says malicious social engineering is one of the biggest problems for security. “As long as there’s a conscious interface between man and machine, social engineering will always exist.”
Money is the main reason malicious social engineering is so pervasive. In October 2013, RSA identified more than 62,000 phishing attacks, which raised the bar in terms of number of attacks carried out within a single month. The median takedown time for attacks is 12 hours — worth roughly $300 each hour. During October 2013 alone, phishing attacks netted $233 million.
Read the full story at Search Security